IS FREE ELEC 3

Lecture 1 – Auditing and Internal Control

  Business organizations undergo different types of audits for
different purposes.

OVERVIEW OF o External (Financial) Audits

o Internal Audits
AUDITING
o Fraud Audits
 An independent attestation performed by an expert – the auditor
– who expresses an opinion regarding the presentation of financial
statements.
 attest service – is performed by Certified Public Accountants
(CPA) who work for public accounting firms that are independent
of the client organization being audited.
External  The audit objective is always associated with assuring the fair
(Financial) presentation of financial statements.
 The Securities and Exchange Commission (SEC) requires all
Audits publicly traded companies to be subject to a financial audit
annually.
 Key concept of this process is independence
 CPAs conducting such audits represent the interest of outsiders,
stockholders, creditors, government agencies, and the general
public.
  Attest service – an engagement in which a practitioner is
engaged to issue, or does issue, a written communication that
expresses a conclusion about the reliability of a written assertion
that is the responsibility of another party. [SSAE No. 1, AT Sec.
Attest Service 100.01]
 Requirements that apply to attestation services:
versus o Attestation services require written assertions and a practitioner’s
Advisory written report.
o Attestation services require the formal establishment of
Services measurement criteria or their description in the presentation.
o The level of service in attestation engagements are limited to
examination, review, and application of agreed-upon procedures.
  Advisory services - are professional services offered by public
accounting firms to improve their client organizations’ operational
efficiency and effectiveness.
Attest Service
 The domain of advisory services is intentionally unbounded so
versus that it does not inhibit the growth of future services that are
currently unforeseen.
Advisory
 Examples of advisory services: actuarial services, business advice,
Services fraud investigation services, information system design and
implementation, and internal control assessments for compliance
with SOX.
  Prior to the passage of SOX, accounting firms could provide
advisory services concurrently to audit (attest function) clients.
SOX legislation, however, greatly restricts the types of nonaudit
services that auditors may render audit clients.
Attest Service
 The advisory services units of public accounting firms responsible
versus for providing IT control-related client support have different
names in different firms, but they all engage in tasks known
Advisory collectively as IT risk management.
Services These groups often play a dual role within their respective firms;
they provide nonaudit clients with IT advisory services and also
work with their firm’s financial audit staff to perform IT-related
tests of controls as part of the attestation function.
  Internal Auditing – an independent appraisal function established
within an organization to examine and evaluate its activities as a
service to the organization. ~ Institute of Internal Auditors (IIA) ~
 Activities performed by internal auditors:
o conducting financial audits
o Examining an operation’s compliance with organizational policies
o Reviewing the organization’s compliance with legal obligations
Internal Audits o Evaluating operational efficiency
o Detecting and pursuing fraud within the firm

 Internal audit is typically conducted by auditors who work for the

organization but this task may be outsourced to other organizations.
 Internal auditors are often Certified Internal Auditors (CIA) or a Certified
Information Systems Auditor (CISA)
 Internal auditors represent the interest of the organization.
  The objective of fraud audit is to investigate anomalies and
gather evidence of fraud that may lead to criminal conviction.
 Sometimes fraud audits are initiated by corporate management
who suspect employee fraud. Alternatively, board of directors
Fraud Audits may hire fraud auditors to look into their own executives if theft of
assets or financial fraud is suspected.
 Typically, fraud auditors have earned the Certified Fraud
Examiner Certification (CFE), which is governed by the Association
of Certified Fraud Examiners (ACFE).
  The board of directors of publicly traded companies form a
subcommittee known as the audit committee, which has special
responsibilities regarding audits.
 This committee is usually consists of three people who should be
outsiders.
The Role of the  At least one member must be a financial expert
Audit  The audit committee serves as an independent “check and
Committee balance” for the internal function and liaison with external
auditors.
 SOX mandates that the external auditors now report to the audit
committee who hire and fire auditors and resolve disputes.
  To be effective, the audit committee must be willing to challenge
The Role of the the internal auditors (or the entity performing the function) as well
as management, when necessary.
Audit  Part of its role is to look for ways to identify risk.
Committee  In general, it becomes an independent guardian of the entity’s
assets by whatever means is appropriate.
  The product of the attestation function is a formal written report
that expresses an opinion about the reliability of the assertions
contained in the financial statements.
 The auditor’s report expresses an opinion as to whether the
Financial Audit financial statements are in conformity with general accepted
accounting principles (GAAP); external users of financial
Components statements are presumed to rely on the auditor’s opinion about
the reliability of financial statements in making decisions.
 Users must be able to trust in the auditor’s competence,
professionalism, integrity, and independence.
  Classes of Auditing Standards:
1) General qualification standards
2) Field work standards
3) Reporting standards
Financial Audit
Components:  GAAS establishes a framework for prescribing auditor performance, but
it is not sufficiently detailed to provide meaningful guidance in specific
Auditing circumstances.

Standards  To provide specific guidance, the American Institute of Certified Public

Accountants (AICPA) issues a Statements on Auditing Standards (SASs) as
authoritative interpretations of GAAS. SAASs are often referred to as
auditing standards.
  Conducting an audit is systematic and logical process that
applies to all forms of information systems.
 While important in all audit settings, a systematic approach is
Financial Audit particularly important in the IT environment.
Components:  The lack of physical procedures that can be visually verified and
evaluated injects a high degree of complexity into the IT audit
A Systematic (e.g. the audit trail may be purely electronic, in a digital form, and
thus invisible to those attempting to verify it).
Process
 A logical framework for conducting an audit in the IT
environment is critical to help the auditor identify all important
processes and data files.
Financial Audit  The organization’s financial statements reflect a set of
Components: management assertions about the financial health of the entity.

Management  The task of the auditor is to determine whether the financial

statements are fairly presented.
Assertions and The auditor establishes audit objectives, designs procedures, and
Audit gathers evidence that corroborate or refute management’s
assertions.
Objectives
  Categories of Assertions:
1) The existence or occurrence assertion affirms that all assets and
equities contained in the balance sheet exist and that all
transactions in the income statement actually occurred.
Financial Audit 2) The completeness assertion declares that no material assets,
Components: equities, or transactions have been omitted from the financial
statements.
Management 3) The rights and obligations assertion maintains that assets
appearing on the balance sheet are owned by the entity and that
Assertions and the liabilities reported are obligations.

Audit 4) The valuation or allocation assertion states that assets and

equities are valued in accordance with GAAD and that allocated
Objectives amounts such as depreciation expense are calculated on a
systematic and rational basis.
5) The presentation and disclosure assertion alleges that financial
statements are correctly classified and that footnote disclosures
are adequate to avoid misleading the users of financial statements.
  Auditors seek evidential matter that corroborates management
assertions.
Financial Audit In the IT environment, this process involves gathering evidence
Components: relating to the reliability of computer controls as well as contents
of databases that have been processed by computer programs.
Obtaining  Evidence is collected by performing tests of controls, which
Evidence establish whether internal controls are functioning properly, and
substantive tests, which determine whether accounting databases
fairly reflect the organization’s transactions and account balances.
  The auditor must determine whether weaknesses in internal
Financial Audit controls and misstatements found in transactions and account
balances are material.
Components:
In all audit environments, assessing materiality is an auditor
Ascertaining judgement. In an IT environment, however, this decision is
complicated further by technology and a sophisticated internal
Materiality control structure.
  Audit risk is the probability that the auditor will render an
unqualified (clean) opinion on financial statements that are, in
fact, materially misstated.
 Material misstatements may be caused by errors or irregularities
AUDIT RISK or both.
 Errors are unintentional mistakes.
 Irregularities are intentional misrepresentations associated with
the commission of a fraud such as the misappropriation of physical
assets or the deception of financial statement users.
  The auditor’s objective is to achieve a level of audit risk that is
acceptable to the auditor.
Audit Risk  Acceptable audit risk (AR) is estimated based on the ex ante value
Components of the components of the audit risk model.
  Inherent risk - is associated with the unique characteristics of
the business or industry of the client.
 Firms in declining industries have greater inherent risk than firms
in stable or thriving industries. Likewise, industries that have a
heavy volume of cash transactions have a higher level of inherent
risk than those that do not.
 Placing a value on inventory when the inventory value is difficult
Inherent Risk to assess due to its nature is associated with higher inherent risk
than in situations where inventory values are more objective.
 Example: The valuation of diamonds is inherently more risky than
assessing the value of automobile tires.
 Auditors cannot reduce the level of inherent risk. Even in a
system protected by excellent controls, financial data and,
consequently, financial statements, can be materially misstated.
 Control risk - is the likelihood that the control structure is flawed
because controls are either absent or inadequate to prevent or
detect errors in the accounts.
 Example: Consider the following partial customer sales record,
which is process by the sales order system:
Inherent Risk Quantity Unit Price Total
10 units $20 $2,000
Assuming the Quantity and Unit Price fields in the record are
correctly presented, the extended amount (Total) value of $2,000 is
in error. An accounting information system (AIS) with adequate
controls should prevent or detect such an error. If however, controls
are lacking and the value of Total in each record is not validated
before processing, then the risk of undetected errors entering the
data file increases.
  Auditors assess the level of control risk by performing tests of
internal controls.
 In the preceding example, the auditor could create test
Inherent Risk transactions, including some with incorrect Total values, which are
processed by the application in attest run. The results of the test
will indicate that price extension errors are not detected and are
being incorrectly posted to the accounts receivable file.
  Detection Risk – is the risk that auditors are willing to take that
errors not detected or prevented by control structure will also not
be detected by the auditor.
 Auditors set an acceptable level of detection risk (planned
Detection Risk detection risk) that influences the level of substantive tests that
they perform.
 For example, more substantive testing would be required when
the planned detection risk is 10 percent than when it is 20 percent.
  Financial auditors use the audit risk components in a model to
determine the scope, nature, and timing of substantive testing.
The audit risk model is
AR = IR x CR x DR

Assume that the acceptable audit risk is assessed at a value of 5%,

consistent with the 95% confidence interval associated with statistics.
By illustration, assume IR is assessed at 40%, and Cr is assessed at
Audit Risk 60%. What would be the level of planned detection risk (DR) needed
to achieve the acceptable audit risk (AR) of 5%?
Model
5% = 40% x 60% x DR
DR = .05/.24
DR = .20
Let’s now reduce the control risk (CR) value to 40% and recalculate
DR.
5% = 40% x 40% x DR
DR = .31
  Notice that to achieve an acceptable level of audit risk in the
example, the auditor must set planned detection risk lower than
(20%) in the second example (31 percent). This is because the
Audit Risk internal control structure in the first example is more risky (60%)
than it is in the second case (40%). To achieve the planned
Model detection of 20% in the first example, the auditor will need to
perform more substantive tests than in the second example,
where the risk is lower.
  Tests of controls and substantive tests are auditing techniques
used for reducing audit risk to an acceptable level.
The  The stronger the internal control structure, as determined
Relationship through tests of controls, the lower the control risk and the less
substantive testing the auditor must do.
Between Tests  The more reliable the internal controls, the lower the CR
of Controls and probability. That leads to lower DR, which will lead to fewer
substantive tests being required. Because substantive tests are
Substantive labor intensive and time-consuming , they drive up audit costs and
exacerbate the disruptive effects of an audit. Thus, the
Tests management’s best interest are served by having a strong internal
control structure.
  An IT audit focuses on the computer-based aspects of an
IT AUDIT organization’s information systems; and modern systems employ
significant levels of technology.
  Audit Planning
Structure of an  Test of Controls
IT Audit Substantive Testing
  The first step in It audit is audit planning.
 Before the auditor can determine the nature and extent of the
tests to perform , he or she must gain a thorough understanding
of the client’s business.
 A major part of this phase is the analysis of audit risk.
Structure of an  The auditor’s objective is to obtain sufficient information about
IT Audit: Audit the firm to plan the other phases of the audit.
The risk analysis incorporates an overview of the organization’s
Planning internal controls. During the review of controls, the auditor
attempts to understand the organization’s policies, practices, and
structure.
 The auditor also identifies the financially significant applications
and attempts to understand the controls over the primary
transaction that are processed by these applications.
  The techniques for gathering evidence at this phase include
Structure of an conducting questionnaires, interviewing management, reviewing
systems documentation, and observing activities. During this
IT Audit: Audit process, the IT auditor must identify the principal exposures and
the controls that attempt tor educe theses exposures. Having
Planning done so, the auditor proceeds to the next phase, where he or she
tests the controls for compliance with pre-established controls.
  The objective of the tests of controls is to determine whether
adequate internal controls are in place and functioning properly.
 The auditor performs various test controls.
Structure of an
 The evidence-gathering techniques used in this phase may
IT Audit: Test include both manual techniques and specialized computer audit
techniques.
of Controls  At the conclusion of this phase, the auditor must assess the
qualities of the internal controls by assigning a level for control
risk.
  The third phase of the audit process focuses on financial data.
This phase involves a detailed investigation of specific account
balances and transactions through what are called substantive
Structure of an testing.
 For Example: A customer confirmation is a substantive test
IT Audit: sometimes used to verify account balances. The auditor selects a
Substantive sample of accounts receivable balances and traces these back to
their source- the customers – to determine if the amount stated is
Testing in fact owed by a bona fide customer. By doing so, the auditor
can verify the accuracy of each account in the sample. Based on
such findings, the auditor is able to draw conclusions about the fair
value of the entire accounts receivable set.
  Some substantive tests are physical, labor-intensive activities,
Structure of an such as counting cash, counting inventories in the warehouse, and
verifying the existence of stock certificates in a safe.
IT Audit:  In an IT environment, the data needed to perform substantive
Substantive tests (such as account balances, and names and addresses of
individual customers) are contained in data files that often must
Testing be extracted using Computer-Assisted Audit tools and
Techniques (CATTs) software.
  For brief history of internal control legislation, please read pages 12-
INTERNAL 14 of Information Technology Audit by James Hall.
CONTROL
  An organization’s internal control system comprises policies,
practices, and procedures to achieve four broad objectives:

INTERNAL 1) To safeguard assets of the firm

2) To ensure the accuracy and reliability of accounting records and
CONTROL: information
Objectives 3) To promote efficiency in the firm’s operations
4) To measure compliance with the management’s prescribed
policies and procedures
  Management Responsibility
This concept holds that the establishment and maintenance of
INTERNAL a system of internal control is a management responsibility.
CONTROL: Methods of Data Processing
Modifying The internal control system should achieve the four broad
objectives regardless of the data processing method used
Principles (whether manual or computer-based) . However, the specific
techniques used to achieve these objectives will vary with
different types of technology.
 Limitations
Every system of internal control has limitations on its
effectiveness.
a) The possibility of error- no system is perfect
b) Circumvention – personnel may circumvent the system
INTERNAL through collusion or other means
c) Management override – management is in a position to
CONTROL: override control procedures by personally distorting
transactions or by directing a subordinate to do so
Modifying d) Changing conditions – conditions may change over time
Principles so that existing effective controls may become
ineffectual.
Reasonable Assurance
Reasonableness means that the cost of achieving improved
control should not outweigh its benefits.
INTERNAL
 Preventive Controls
CONTROL:  Detective Controls
The PDC  Corrective Controls
Model
  Preventive Controls
o These are passive techniques designed to reduce the
INTERNAL frequency of occurrence of undesirable events.
o Preventive controls force compliance with prescribed or
CONTROL: desired actions and thus screen out aberrant events.
The PDC o Example: A well-designed data –entry screen. The logical
layout of the screen into zones that permit only specific
Model data, such as customer name, address, items sold, and
quantity, forces the data entry clerk to enter the required
data and prevents necessary data from being omitted.
  Detective Controls – are devices, techniques, and procedures
INTERNAL designed to identify and expose undesirable events that elude
preventive controls.
CONTROL:
 They reveal specific types of errors by comparing actual
The PDC occurrences to pre-established standards. When the detective
control identifies a departure from standard, it sounds an alarm to
Model attract attention to the problem.
  Corrective Control - actually fix the problem.
INTERNAL  For any error detected, there may be more than one feasible
solution.
CONTROL:  Linking a corrective action to a detected error, as an automatic
The PDC response, may result in an incorrect action that causes a worse
problem than the original error. For this reason, error correction
Model should be viewed as a separate control step that should be taken
cautiously.
  Components:
o Control environment
o Risk assessment
COSO Internal o Information and communication
Control o Control activities

Framework
  The control environment is the foundation for the other four
components. It sets the tone for the organization and influences
the control awareness of its management ad employees.
 Important elements are:
COSO Internal o The integrity and ethical values of the management
o The structure of the organization
Control o The participation of the organization’s board of directors and the
Framework: audit committee, if one exists
o Management philosophy and operating style
The Control o The procedures for delegating responsibility and authority
o External influences, such as examinations by regulatory agencies
Environment o The organization’s policies and practices for managing its human
resources
 For examples of techniques that may be used to obtain understanding of
the control environment according to SAS 109, please read pages 18-19 of
Information Technology Auditing by James Hall.
  Organizations must perform risk assessment to identify, analyze,
and manage risks relevant to financial reporting. Risks can arise or
change from circumstances such as:
COSO Internal o Changes in the operating environment that impose new or changed
competitive pressures on the firm
Control o New personnel who have a different or inadequate understanding of
internal control
Framework: o New or reengineered information systems that affect transaction
Risk processing
o Significant and rapid growth that strains existing internal controls
Assessment o The implementation of new technology into the production process
or information system that impacts transaction processing.
o The introduction of new product lines or activities with which the
organization has little experience.
COSO Internal o Organizational restructuring in the reduction and/or reallocation
of personnel such that business operations and transaction
Control processing are affected.
Framework: o Entering into foreign markets that may impact operations (that is,
the risks associated with foreign currency transactions).
Risk o Adoption of a new accounting principle that impacts the
Assessment preparation of financial statements
  The accounting information system consists of records and
COSO Internal methods used to initiate, identify, analyze, classify, and record the
organization’s transactions and to account for the related assets
Control and liabilities.
Framework:  The quality of information that the accounting information
system generates impacts management’s ability to take actions
Information and make decisions in connection with the organization’s
operations and to prepare reliable financial statements. An
and effective accounting information system will:
Communicatio o Identify and record all valid financial transactions.
n o Provide timely information about transactions in sufficient
detail to permit proper classification and financial reporting
COSO Internal
Control
Framework: o Accurately measure the financial value of transactions so their
effects can be recorded in financial statements
Information o Accurately record transactions in time period in which they
and occurred.

Communicatio
n
  Monitoring is the process by which the quality of internal control
design and operation can be assessed.
COSO Internal  This may be accomplished by separate procedures or by ongoing
activities.
Control  An organization’s internal auditor may monitor the entity’s
Framework: activities in separate procedures. They gather evidence of control
adequacy by testing controls and then communicate control
Monitoring strengths and weaknesses to management. As part of this
process, auditors make specific recommendations for
improvements to controls.
  Ongoing monitoring may be achieved by integrating special
computer modules into the information system that capture key
data and/or permit tests of controls to be conducted as part of
routine operations. Embedded modules thus allow management
COSO Internal and auditors to maintain constant surveillance over the
functioning of internal controls.
Control  Another technique for achieving ongoing monitoring is the
Framework: judicious use of management reports. Timely reports allow
managers in functional areas such as sales, purchasing,
Monitoring production, and cash disbursements to oversee and control their
operations. By summarizing activities, highlighting records, and
identifying exceptions from normal performance, well-designed
management reports provide evidence of internal control function
or malfunction.
COSO Internal  Control activities are the policies and procedures used to ensure
that appropriate actions are taken to deal with the organization’s
Control identified risks.
Framework:  Categories of control activities:
Control o physical controls
o information technology controls
Activities
  This class of controls relates primarily to the human activities
employed in accounting systems.
 Activities may be purely manual, such as the physical custody of
assets, or they may involve the physical use of computers to
record transactions or update accounts.
Physical
 Physical controls do not relate to the computer logic that actually
Controls performs accounting tasks. Rather, they relate to the human
activities that trigger and utilize the results of those tasks.
 Physical controls focus on people, but are not restricted to an
environment in which clerk updates paper accounts with pen and
ink.
Physical  transaction authorization
Controls: Segregation of duties
Categories of Supervision

Physical Accounting records

Access control
Control
Independent verification
Activities
  The purpose of transaction authorization is to ensure that all
natural transactions processed are valid and in accordance with
Physical management objectives.
Control:  Authorizations may be general or specific.
transaction General authority is granted to personnel to perform day-to-day
activities. Example: the procedure to authorize the purchase of
authorization inventories from a designated vendor only when inventory levels
fall to their predetermined reorder points. This called
programmed procedure in which the decision rules are specified in
advance, and no additional approvals are required.
Physical
 Specific authorizations deal with case-by-case decisions
Control: associated with non-routine transactions. Example: The decision
transaction to extend a particular customer’s credit limit beyond the normal
amount.
authorization  Specific authority is usually a management responsibility.
  One of the most important control activities is the segregation of
Physical employee duties to minimize incompatible function.
Control: Segregation of duties can take many forms, depending on the
specific duties to be controlled.
Segregation of  for objectives of segregation of duties, read page 22.
Duty
  In small organizations or in functional areas that lack sufficient
Physical personnel, management must compensate for the absence of
segregation controls with close supervision. For this reason,
Control: supervision is often called a compensating control.
Supervision  An underlying assumption is that the firm employs competent
and trustworthy personnel.
  The accounting records of an organization consist of source
documents, journals, and ledgers. These records capture the
economic essence of transaction and provide an audit trail of
economic events.
 The audit trail enables the auditor to trace any transaction
through all phases of its processing from the initiation of the event
Physical to the financial statements.
Control:  Organizations must maintain audit trails because:
Accounting 1) The information is needed for day-to-day operations. The audit
trail helps employees respond to customer inquiries by showing
Records the current status of transactions in process.
2) The audit trail plays an essential role in the financial audit of
the firm. It enables external (and internal) auditors to verify
selected transactions by tracing them from the financial
statements to the ledger accounts, to the journals, to the
source documents, and back to their original source.
  The purpose of access controls is to ensure that only authorized
personnel have access to the firm’s assets.
Unauthorized access exposes assets to misappropriation,
damage, and theft.
Physical  Access controls can be direct or indirect.

Control: Access  Physical security devices such as locks, safes, fences, and
electronic and infrared alarm systems, control against direct
Controls access.
 Indirect access to assets is achieved by gaining access to the
records and documents that control the use, ownership, and
disposition of the asset.
  Verification procedures are independent checks of the
accounting system to identify errors and misrepresentations.
 It differs from supervision because it takes place after the fact, by
an individual who is not directly involved with the transaction or
Physical task being verified. Supervision takes place while the activity is
being performed, by a supervisor with direct responsibility for the
Control: task.
Independent  Through independent verification procedures, management can
assess (1) the performance of individuals, (2) the integrity of the
Verification transaction processing system, and (3) the correctness of data
contained in accounting records. Examples of independent
verifications:
• Reconciling batch totals at points during transaction processing
• Comparing physical assets with accounting records
Physical
• reconciling subsidiary accounts with control accounts
Control:
• Reviewing management reports (both computer and
Independent manually generated) that summarize business activity
Verification
  Application Controls – ensure the validity, completeness, and
accuracy of financial transactions.
General Controls – are not application-specific but, rather, apply
IT Controls to all systems.
-Although general controls do not control specific transactions,
they have an effect on transaction integrity.
  Examples:
o A cash disbursements batch balancing routine that verifies
that the total payments to vendors reconciles with the total
IT Controls : postings to the accounts payable subsidiary ledger.
Application o An account receivable check digit procedure that validates
customer account numbers on sales transactions.
Controls o A payroll system limit check that identifies and flags
employee time card records with reported hours worked in
excess of the predetermined normal unit.
IT Controls :  includes controls about IT governance, IT infrastructure, security
General and access to operating systems and databases, application
acquisition and development, and program change procedures.
Controls